AI Agents Aren’t Employees: Why Identity Isn’t Enough
For more than thirty years, enterprise security has been built around answering one fundamental question.
Who are you?
We’ve built increasingly sophisticated systems to answer that question. LDAP. Active Directory. Identity providers. Multi-factor authentication. Identity and Access Management. Privileged Access Management.
Now we’re extending those same concepts to AI agents.
Microsoft, Okta, SailPoint, and others are rapidly building identity and governance capabilities for autonomous AI agents. They’re giving AI agents identities, assigning permissions, improving visibility, managing lifecycles, and applying many of the same security principles we’ve relied on for decades.
That’s exactly the right direction.
AI agents should have identities.
They should have owners.
They should have least-privilege access.
They should be governed, monitored, and audited.
Those capabilities are foundational. But I also think they’re only the beginning.
For decades, enterprise security has quietly depended on a second assumption.
The identity belongs to a human.
Humans aren’t governed solely by technical controls. Their behavior is influenced by incentives and consequences.
Employees want to earn a paycheck.
They value healthcare and other benefits.
They hope to advance their careers.
They care about their professional reputation.
Many take pride in doing the right thing.
At the same time, they understand there are consequences for violating company policy or breaking the law. They could lose their job, lose their income and benefits, damage their professional reputation, and in some cases face civil or criminal penalties, including fines or imprisonment.
None of those things guarantee good behavior.
People still make mistakes.
Some act maliciously.
Others ignore the rules.
But our security programs have always relied on more than identity. They’ve relied on the fact that people have something at stake.
AI agents are different.
They aren’t influenced by incentives the way people are. Instead, their behavior is governed by objectives, constraints, policies, context, and the controls we build around them.
That distinction matters.
Today’s AI security conversation is largely focused on questions like these:
Who is this AI agent?
Who owns it?
What systems can it access?
What actions is it authorized to perform?
Those are important questions.
But I think we’re missing another one.
Why should we expect this AI agent to behave as intended?
Identity tells us who an AI agent is.
Governance determines what it’s allowed to do.
The unanswered question is what influences behavior.
Prompt injection illustrates the challenge. We often compare prompt injection to social engineering because an attacker manipulates an AI into following instructions it shouldn’t.
When a person falls for a phishing email, they may become more cautious because they understand there can be personal and professional consequences. An AI agent may improve over time through updated models, engineered memory, or external governance. But that is different from changing behavior because it anticipates consequences.
Learning and deterrence are not the same thing.
As organizations deploy thousands, and eventually millions, of AI agents, we’ll continue making tremendous progress in identity, governance, and lifecycle management.
We should.
Those capabilities are essential. But they answer only the first two questions.
Identity.
Governance.
Behavior.
We’ve spent decades securing identities.
The next challenge is securing behavior.
What do you think?
Have we spent so much time securing identities that we’ve overlooked what influences behavior?
I’d love to hear how you’re thinking about this.